Researchers are analyzing a new rootkit for 64-bit Linux systems that injects iframes into the web pages served by an infected host, redirecting visitors to malicious sites that install additional malware. The rootkit runs as a loadable kernel module: it alters outgoing TCP traffic from inside the kernel and manipulates kernel data structures to conceal its own presence.
At start-up, the module "creates an initial HTTP injection configuration and installs the inline function hook to hijack TCP connection contents," according to Georg Wicherski, senior security researcher at CrowdStrike. Next, it creates a kernel thread that establishes communication with the command-and-control server, which is used to update the injection configuration. It then hides the kernel module itself using direct kernel object manipulation (DKOM), unlinking the module from the kernel's list of loaded modules so that tools such as lsmod, which read that list through /proc/modules, no longer report it.
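Because the hiding step unlinks the module from the list that /proc/modules and lsmod read, a responder can look for the discrepancy between that list and a second view of the same information. The following is an added example, not code from the original article or from CrowdStrike: it compares loadable modules that still have an entry under /sys/module (each loadable module gets an initstate file there) with the names reported by /proc/modules, and flags any that appear only in sysfs. It assumes the rootkit left its sysfs entry in place; the module name evil_mod and the sample /proc/modules text are constructed for illustration.

```python
"""Cross-view check for kernel modules hidden by unlinking from the module list.

Added example for the article above; not CrowdStrike's tooling. The sample
/proc/modules text and the module name "evil_mod" are constructed.
"""
import os

# Constructed sample of /proc/modules output. Each line is:
#   name size refcount dependencies state address
PROC_MODULES_SAMPLE = """\
ext4 540672 2 - Live 0xffffffffc0400000
e1000 135168 0 - Live 0xffffffffc0200000
nf_conntrack 139264 1 - Live 0xffffffffc0100000
"""

# Constructed sample of the loadable modules visible under /sys/module.
# "evil_mod" stands in for a module that was unlinked from the module
# list (and therefore vanished from /proc/modules) but whose sysfs
# kobject was never removed.
SYSFS_SAMPLE = {"ext4", "e1000", "nf_conntrack", "evil_mod"}


def parse_proc_modules(text):
    """Return the set of module names listed in /proc/modules-style text."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def sysfs_loadable_modules(sys_module_dir="/sys/module"):
    """Return loadable module names that have a sysfs entry.

    /sys/module also contains directories for built-in code that exposes
    parameters; only modules loaded with insmod/modprobe carry an
    'initstate' file, so that file is used to tell the two apart.
    """
    names = set()
    try:
        entries = os.listdir(sys_module_dir)
    except OSError:
        return names  # no sysfs (container, non-Linux host): nothing to compare
    for name in entries:
        if os.path.exists(os.path.join(sys_module_dir, name, "initstate")):
            names.add(name)
    return names


def hidden_modules(proc_modules_text, sysfs_names):
    """Modules present in sysfs but absent from the module list.

    A non-empty result means the module list and sysfs disagree, which is
    what DKOM hiding of a module produces when only the list is altered.
    """
    return sorted(set(sysfs_names) - parse_proc_modules(proc_modules_text))


def check_live_system():
    """Run the comparison against the running kernel; returns the suspects."""
    try:
        with open("/proc/modules") as f:
            proc_text = f.read()
    except OSError:
        return []
    return hidden_modules(proc_text, sysfs_loadable_modules())


if __name__ == "__main__":
    print("sample suspects:", hidden_modules(PROC_MODULES_SAMPLE, SYSFS_SAMPLE))
    print("live suspects:  ", check_live_system())
```

A rootkit that also deletes its kobject from sysfs will pass this check, so treat an empty result as one negative data point rather than a clean bill of health; confirming the inline TCP hook itself requires comparing the kernel's code pages against a trusted copy, which is a memory-forensics task rather than a userland script.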